Groups and Permissions
After a group is created, you can associate permissions with it. When you grant permission to a group, you are, in effect, granting that same permission to each user in the group.
Groups are a convenient way to give the same permissions to many users at once.
Groups also make managing the permissions easy by allowing you to add users to (and remove users from) the group. For example, grant the payroll group insert, delete, and select permissions on the payroll tables, which gives all the users in the group those permissions. If an employee leaves the payroll department, or if a new employee joins, you simply have to drop or add a user from the group, without modifying the permissions. Similarly, if you find that the group needs fewer or more permissions, revoke or grant the permissions once, for the entire group, rather than individually for each member of the group.
Being a member of a group, however, does not automatically give a user the permissions granted to the group. Users must specifically identify themselves as part of a group to be allowed the associated permissions.
A user can be identified as part of a group in two ways:
• Specifying a group ID at session startup
• Specifying a default group for the user. A default group is specified for a user using the SQL statements CREATE USER or ALTER USER.
Specifying Group ID at Session Startup
When starting a session, a user can specify a group identifier, as follows:
• On the –G flag for many system commands. For details, see the Command Reference Guide.
• With the CONNECT statement as part of an application.
• As part of the connection profile for an OpenROAD session. For more information, see online help for the Create Connection Profile dialog in OpenROAD.